Logo of Apple's App Store: This is where the fraudsters placed their fake app (Photo: Patrick Semansky/AP)

Password managers are a practical and effective way to protect yourself from hackers. They generate secure passwords automatically and store them together in one app, which users can then use to log in to all their online accounts on all their devices. However, this only works if users install the provider's genuine app.

In the case of the popular password manager LastPass, fraudsters have now managed to sneak a fake version of the app into Apple's App Store. At first glance, the fake looked quite similar to the real app. Anyone who quickly clicked through the App Store could fall for it. The fraudsters only changed one letter and stated “LassPass” as the name. In addition, they used a similar-looking logo, as “Bleeping Computer” reported.

The operators of LastPass issued a warning on Wednesday and said they were trying to have the app removed. By Friday morning it could no longer be found in the Apple App Store. However, it was reportedly still online on Thursday, when "Bleeping Computer" became the first media outlet to report on the case.

Popular trick used by cybercriminals

Criminals regularly use fraudulent apps that copy popular apps in order to access user data. Investigating authorities warn that fake apps continue to play a role in cybercrime. In the current case, attackers could have accessed a particularly large amount of information because they could use the LastPass master password to gain access to all stored passwords.

Apple has built in numerous protective measures intended to keep fake apps from appearing in the App Store in the first place. In political and legal disputes about whether the company should open its app store more to third-party providers, Apple regularly points to its own security systems as an argument. The current case is correspondingly embarrassing for Apple. The company has now confirmed that the provider of the fake app has been removed from the App Store.

This is how you recognize fake apps

Anyone who downloads an app from the App Store should always make sure that it is named correctly and uses the manufacturer's real logo. Counterfeits can also be spotted when the developer field does not name the real manufacturer. In the current case, that field contained an incorrect name.
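The name and developer checks described above can also be run automatically over store listings, for example by a team that vets apps before they are allowed on company devices. The following Python code is an added example, not part of the original article; the listing data, the placeholder publisher name "Example Vendor Inc." and the distance threshold are assumptions.

```python
import re

def edit_distance(a, b):
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def candidates(name):
    """Words of the listing name plus adjacent pairs joined ('Last Pass')."""
    words = re.findall(r"[a-z0-9]+", name.lower())
    return words + [x + y for x, y in zip(words, words[1:])]

def classify(listing, brand, trusted_developers, max_distance=2):
    """Return 'genuine', 'suspicious' (needs human review) or 'unrelated'."""
    closest = min((edit_distance(c, brand.lower())
                   for c in candidates(listing["name"])),
                  default=max_distance + 1)
    if closest > max_distance:
        return "unrelated"          # name does not resemble the brand
    developer = listing["developer"].strip().casefold()
    if developer in {d.casefold() for d in trusted_developers}:
        return "genuine"            # brand name and expected developer
    return "suspicious"             # brand-like name, unexpected developer

# Constructed sample data. "Example Vendor Inc." is a placeholder for the
# publisher name shown on the genuine listing; it is not a real value.
TRUSTED = {"Example Vendor Inc."}
SAMPLE_LISTINGS = [
    {"name": "LastPass Password Manager", "developer": "Example Vendor Inc."},
    {"name": "LassPass Password Manager", "developer": "Some Other Name"},
    {"name": "LastPass Password Manager", "developer": "Some Other Name"},
    {"name": "Weather Radar", "developer": "Some Other Name"},
]

if __name__ == "__main__":
    for item in SAMPLE_LISTINGS:
        print(classify(item, "LastPass", TRUSTED), "-", item["name"])
```

A near-miss name from an unrelated but legitimate app is also reported as suspicious, so the result is a review queue rather than a verdict.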

Users who have installed and used the fake app should urgently change the master password of their LastPass account. This can be done through LastPass.com. Additionally, any passwords that were managed through LastPass should be changed.

hp